The Nigerian Data Protection Commission (the “Commission”) is an independent regulatory body created by the Nigeria Data Protection Act, 2023 (the “Act”) to regulate the processing of personal information in Nigeria. The primary mandate of the Commission is to regulate the processing of personal data within the territorial boundaries of Nigeria. Recently, the Commission issued a directive mandating "ALL entities" that collect personal data of individuals in Nigeria to undergo compulsory registration. The deadline for this mandatory registration has been set for June 30th, 2024. In support of its position on the mandatory registration of all data controllers and processors handling the personal data of individuals in Nigeria, the Commission has cited Section 5(d) of the Act.
However, it is our firm belief that this interpretation of Section 5(d) of the Act is erroneous. The aforementioned section stipulates that "The Commission shall register data controllers and processors of major importance."
According to Section 65, the definition section of the Act, a data controller and processor of major importance “means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society, or security of Nigeria as the Commission may designate.” The interpretation of this section is as follows:
The Act intends for the Commission to stipulate a specific threshold of data subjects, the processing of which would qualify a data controller or processor to be considered of major importance.
Alternatively, the Act intends that the Commission designate a class of data controllers and processors as being of major importance because they process data that is of particular value or significance to Nigeria’s economy, society, or security. For instance, the EU Digital Markets Act 2022 introduced the classification of certain players as "Gatekeepers" owing to their substantial influence and dominance within their respective markets.
The Act does not imply that all data controllers and processors should be automatically regarded as being of major importance. If such were the intention, the Act would have explicitly stated so.
While it is acknowledged that the Commission is, by Section 7 of the Act, independent in the performance of its functions, this independence should not be construed as the ability to import a meaning that is at variance with the intent of the draftsmen. The Supreme Court in Ugo-Ngadi v. F.R.N (2018) 8 NWLR (Pt.1620) 29 SC remarked that “it is a cardinal principle of interpretation that the words of a statute that are unambiguous must be given their ordinary grammatical meaning.” Consequently, the Commission is bound by the literal definition of "data controllers and processors of major importance" as provided in the Act, necessitating the creation of specific designations rather than the indiscriminate inclusion of every data controller and processor into this special category. The approach the Commission wants to adopt would require every business, regardless of the volume of personal data collected, to register for a fee, thereby introducing an additional layer of obligation not envisaged by the Act.
It is pertinent to note that as of 2020, Nigeria's Ease of Doing Business (EDB) ranking stood at 131 out of 190 countries, with a general score of 56.9. In light of the country's current economic challenges, the government's focus should be on reducing barriers and fostering a conducive environment for businesses, particularly small and medium-sized enterprises (SMEs), to thrive and grow. It is worth recalling that the primary objective of the Business Facilitation Act, 2023, is to streamline business operations in Nigeria by eliminating administrative obstacles. By imposing an additional obligation on SMEs, instead of concentrating on the entities that the phrase "data controllers and processors of major importance" was intended to encompass, the Commission may inadvertently hinder the creation of a conducive environment for all businesses.
Conclusion
The recent directive issued by the Nigerian Data Protection Commission, mandating compulsory registration for all entities engaged in the collection of personal data within the Nigerian jurisdiction, necessitates a thorough reevaluation. While the Commission's intention to safeguard the privacy of personal data is undoubtedly commendable, it is essential to address the apparent deviation from the legislative intent behind the Nigeria Data Protection Act.
It is imperative that the Commission prioritise the designation of data controllers and processors of major importance, as outlined in the Nigeria Data Protection Act. This designation should be based on clearly defined criteria stipulated within the Act, ensuring that only entities meeting these specified criteria are subject to mandatory registration.
To uphold the principles enshrined in the Act and foster a conducive environment for business operations, it is crucial for the Commission to reconsider its approach. Rather than imposing additional burdens on all businesses, including small and medium-sized enterprises (SMEs), the Commission should strategically focus its regulatory efforts on entities that meet the criteria outlined in the Act. This targeted approach would not only ensure adherence to the law but also align with the government's broader objectives of promoting economic growth and facilitating seamless business operations.